fix(security): gate AI tools by user ability and block admin-URL SSRF

The AI chat assistant scoped tool queries by company but ignored the
per-user Bouncer abilities the rest of the app enforces, so any `use ai`
holder could read customers, invoices, payments, and company financials
their role couldn't otherwise see. Each AiTool now declares a required
ability (entity-aligned); the registry hides unauthorized tools from the
model and refuses to execute them as a backstop.

Separately, admin/owner-supplied URLs were fetched server-side with no
guard against private/reserved targets (SSRF): the AI base URL, the
CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk
endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl
validation rule (save-time) and runtime guards in each driver.

- AiTool::requiredAbility() + mapping across all 12 tools
- AiToolRegistry filters schemas() by ability and re-checks in execute()
- PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new)
- Rule wired into AI config (service + 3 controllers), exchange-rate,
  and file-disk endpoints; runtime guards in OpenRouterDriver,
  CurrencyConverterDriver, and FileDiskService
- Tests for ability filtering, the guard, the rule, and 422 rejections
This commit is contained in:
Darko Gjorgjijoski
2026-06-05 00:01:09 +02:00
parent 3df2a01832
commit ac2a8ca939
37 changed files with 1052 additions and 74 deletions

View File

@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Setup;
use App\Http\Controllers\Controller;
use App\Models\Setting;
use App\Rules\PublicHttpUrl;
use App\Services\AiConfigurationService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
@@ -51,7 +52,7 @@ class AiConfigurationController extends Controller
'ai_enabled' => 'required|in:YES,NO',
'ai_driver' => 'required_if:ai_enabled,YES|nullable|string',
'ai_api_key' => 'required_if:ai_enabled,YES|nullable|string',
'ai_base_url' => 'nullable|string|url',
'ai_base_url' => ['nullable', 'string', 'url', new PublicHttpUrl],
'ai_chat_enabled' => 'nullable|in:YES,NO',
'ai_chat_model' => 'nullable|string|max:200',
'ai_text_generation_enabled' => 'nullable|in:YES,NO',